Much of the communication in the Internet involves at least one client making a request to a web-server, and the web-server responding to the client's request. By web-server, we mean a device or collection of devices (e.g., datastore, directory, machines, and software) that communicates with a client using the HTTP Protocol. For a particular web application, we define an origin web-server to be a web-server that is completely trusted with the functions and data of a web application with regard to the security policy for the application.
As a way to shorten the length of time that the client must wait for a response and to lighten the load on the Internet and origin web-server, techniques have been developed to allow the client to be serviced by a proxy web-server, also referred to simply as a proxy, where the proxy web-server is usually closer to the client or more lightly loaded than the origin web-server.
Proxy web-servers can be integrated into the Internet communication process in several different ways. In some configurations, clients always make requests to a proxy web-server rather than the origin web-server. The proxy web-server may respond to the client, fetching content from the origin web-server as necessary, or the proxy web-server may refer the client to another proxy web-server or the origin server if the proxy web-server is unable to satisfy the client's request. In other configurations, a client first makes a request to the origin web-server. The origin web-server may refer the client to a proxy for the current request or all future requests, or the origin web-server may respond to part of the client's request, but refer the client to a semi-trusted web-server for a portion of the response.
In most cases, the content offloaded to a proxy web-server has been limited to non-sensitive data, so that access control schemes are not required. Non-sensitive data is defined as data which does not require any access control, and may be accessible to any user on the network. On a typical web-page, embedded images are an example of non-sensitive data. On the other hand, restricted data or sensitive data is defined as data which has some restrictions on who can obtain it. Examples of restricted data include pages that are obtained by subscription to a set of registered users, images that are available to a restricted set of users, or data can is personalized for a specific user.
Common subscription services and personalized content on the Internet are increasing, and they should also benefit from the performance gains afforded by proxy web-servers. The restricted information requires the proxy web-servers to have access control methods in place, but the situation is complicated because in many cases the proxy web-servers are not under the control of the content providers. Such proxy web-servers fall into the class'of semi-trusted web-servers. For a particular web application, we define a semi-trusted web-server to be a web-server that is partially trusted for the functions of the application with regard to the security policy for the application. In particular, a semi-trusted web-server may be trusted for authorization, access to user identifiers, SSL tunneling to an origin web-server for content, and non-sensitive transactions, but the semi-trusted web-server may not be trusted with long-term sensitive data such as user passwords or secret keys for an origin web-server.